
Are You Really Still Using Tripwire Enterprise?

Posted: 22 November 2018

"Heavy is the head that wears the crown" is the old saying which comes to mind when I think of Tripwire Enterprise, a solution which has sat at the top of its game for so long that there is conceivably only one direction left.

Having spoken with many a former and present Tripwire Enterprise customer over the past twelve months, a couple of points are consistently raised about a perceived lack of development in the solution.

In this blog, we will explore some of these challenges which Tripwire Enterprise customers face and how alternative solutions are providing an answer.

Overwhelming Quantities of Change Noise

Number one on our list is change noise: benign or unimportant changes are logged in the Tripwire Enterprise system, and alerts are possibly generated for them.

Of course, change detection and alerting is the core purpose of FIM (File Integrity Monitoring) solutions. However, most security teams are not interested in Windows Updates or patching for well-known applications.

FIM solutions which do not have a change noise minimisation capability put all changes together and leave the security team to decipher the results. Sifting through hundreds, possibly thousands, of changes looking for something suspicious is a tedious task, if not an impossible one.

But...will your team be able to spot the one malicious change which could result in an outage or breach, amongst the noise? A needle in a haystack comes to mind.

Alternative solutions, such as NNT's F.A.S.T. service, compare detected changes against a database of billions of known harmless changes. Only those not present in the database remain for investigation.
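The sketch below illustrates that kind of known-good filtering. It is an added example, not NNT's or Tripwire's code. The event fields, the SHA-256 keyed database and all sample data are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ChangeEvent:
    host: str
    path: str
    action: str              # "modified", "created" or "deleted"
    sha256: Optional[str]    # hash of the new content; None for a deletion

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def triage(events, known_good):
    """Split FIM events into (suppressed, needs_review)."""
    suppressed, needs_review = [], []
    for ev in events:
        # Match on content hash only. Path and file name are not evidence:
        # a replaced binary keeps its familiar path but not its hash.
        if ev.sha256 is not None and ev.sha256 in known_good:
            suppressed.append(ev)
        else:
            # Unknown content, or a deletion with nothing to hash.
            needs_review.append(ev)
    return suppressed, needs_review

# Constructed sample data: stand-ins for vendor patch files and one unknown file.
PATCHED_DLL = b"constructed: vendor-signed library, patch build"
PATCHED_EXE = b"constructed: vendor-signed updater, patch build"
UNKNOWN_DLL = b"constructed: same path as the library, different content"

# Stand-in for the known-harmless database (assumption: keyed by SHA-256).
KNOWN_GOOD = {sha256_hex(PATCHED_DLL), sha256_hex(PATCHED_EXE)}

SAMPLE_EVENTS = [
    ChangeEvent("web01", r"C:\Windows\System32\example.dll", "modified", sha256_hex(PATCHED_DLL)),
    ChangeEvent("web02", r"C:\Windows\System32\example.dll", "modified", sha256_hex(PATCHED_DLL)),
    ChangeEvent("web01", r"C:\Program Files\Example\updater.exe", "modified", sha256_hex(PATCHED_EXE)),
    ChangeEvent("db01", r"C:\Windows\System32\example.dll", "modified", sha256_hex(UNKNOWN_DLL)),
    ChangeEvent("db01", r"C:\Windows\System32\drivers\etc\hosts", "deleted", None),
]

if __name__ == "__main__":
    suppressed, needs_review = triage(SAMPLE_EVENTS, KNOWN_GOOD)
    print(f"{len(suppressed)} suppressed, {len(needs_review)} left for review")
    for ev in needs_review:
        print(f"  REVIEW {ev.host} {ev.action:8} {ev.path}")
```

The three patch events are suppressed, while the file that shares a patched path but carries unknown content, and the deletion, stay in the review queue.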

Heavy Reliance on Java

I must admit that I have a particular dislike for Java which means that no solution using this outdated technology would be favourable in my eyes.

Tripwire Enterprise, and specifically its agents, are Java-based, with each agent requiring the JRE (Java Runtime Environment). One thing that really bugs me, and some of the customers we spoke with, is that the JRE constantly requires security patching, adding overhead for already stretched IT staff.

Pair this with point one, regarding change noise, and not only do you have a number of JREs to update every week, but you will also be notified by Tripwire Enterprise that you applied the patch.

Additional work and more useless alerting.

Great job.

To be fair to Tripwire, they have released a new agent which no longer relies on the JRE. But with hundreds of thousands, if not millions, of agents to be updated, a JRE-based agent is still a reality for most.

Difficult User Interface and Poor Usability

A significant challenge for many Tripwire Enterprise customers is that the user interface is particularly difficult to get along with. We hear this complaint a lot!

Such is the learning curve that Tripwire Enterprise deployments often require significant amounts of professional services, which of course adds to the cost of the solution.

In addition, we were told by some that they find the console so difficult that they don't really understand how the solution has been set up and so leave it for fear of losing the configuration they already have.

A quick Google Image search is all the evidence that you need to conclude that the interface seems to have been left behind in the early 2000s.

Unrecognised ServiceNow Integration

Automation and integrated services are the hottest topics for 2019 and beyond: two or more solutions working together to the same aim, eliminating the need for human interaction and improving reaction time.

The FIM industry is no different.

One very popular area of automation in the FIM industry is the connection to ITSM tools, which can be used to plan changes and then review the accuracy of those changes afterwards.

A popular tie-up is with industry leader ServiceNow, which Tripwire Enterprise does interact with. However, curiously their integration is not certified by ServiceNow, unlike some of their competitors.

There is no public explanation for why, and it does pose questions about how helpful ServiceNow support agents would be as a result.

NNT Change Tracker

An alternative to Tripwire Enterprise which has been very successful in addressing the challenges highlighted in this blog is NNT's Change Tracker.

It is a configuration management and FIM solution favoured by the likes of BNP Paribas, Bank of China, Vodafone, Arqiva, Ryanair and Walmart.

NNT Change Tracker has a change noise reduction capability which can remove up to 90% of unwanted change noise; there is not a single trace of Java to be found in their solution; their integration with ServiceNow is certified; and their interface has just had an overhaul in the Gen7 R2 release.